https://community.cisco.com/t5/network-security/change-timeout-session/m-p/2030257#M438450 <HTML><HEAD></HEAD><BODY><P>Hi Varun,</P><P></P><P>Thanks!</P><P></P><P>I have more one question.</P><P>My ACL HitCount is 0, its correct? </P><P>If i create a service policy and put in the interface(not in the global) the hitcount begins to appear, why?</P><P></P><P>Thanks again!</P></BODY></HTML> Wed, 12 Sep 2012 14:45:20 GMT Rafael Mendes 2012-09-12T14:45:20Z https://community.cisco.com/t5/network-security/change-timeout-session/m-p/2030255#M438444 <P>Hello Guys,</P><P></P><P>I Have a problem here.</P><P>We deploy a citrix, and i need set no timeout for especific traffic.</P><P></P><P>So, i create this configuration:</P><P></P><P>show access-list TimeOutCitrix</P><P>access-list TimeOutCitrix; 7 elements</P><P>access-list TimeOutCitrix line 1 extended permit ip any host 172.17.2.129 log informational interval 300 (<STRONG>hitcnt=0</STRONG>) 0x238cd297</P><P>access-list TimeOutCitrix line 2 extended permit ip any host 172.17.2.130 log informational interval 300 (<STRONG>hitcnt=0</STRONG>) 0x80b4c299</P><P>access-list TimeOutCitrix line 3 extended permit ip any host 172.17.2.218 log informational interval 300 (<STRONG>hitcnt=0</STRONG>) 0x726d7587</P><P>access-list TimeOutCitrix line 4 extended permit ip any host 172.17.2.224 log informational interval 300 (hitcnt=0) 0x6d9499e1</P><P>access-list TimeOutCitrix line 5 extended permit ip any host 172.17.2.226 log informational interval 300 (hitcnt=0) 0x95465853</P><P>access-list TimeOutCitrix line 6 extended permit ip any host 172.17.2.227 log informational interval 300 (hitcnt=0) 0x76a9ab24</P><P>access-list TimeOutCitrix line 7 extended permit ip any host 172.17.2.232 log informational interval 300 (hitcnt=0) 0x3e7867ad</P><P></P><P>class-map TimeOutCitrix</P><P> match access-list TimeOutCitrix</P><P></P><P>policy-map global_policy</P><P> class TimeOutCitrix</P><P>&nbsp; set connection timeout tcp 0:00:00</P><P></P><P>service-policy global_policy global</P><P></P><P>But, the session still keep the timeout in 1 hour.</P><P>I have this timeout configuration in my firewall(out of the class map).</P><P></P><P>timeout xlate 3:00:00</P><P>timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02</P><P>timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00</P><P>timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00</P><P>timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute</P><P></P><P></P><P>TCP rede_filiais:10.82.16.15/3356 rede_servidores:172.17.2.130/2598,</P><P>&nbsp;&nbsp;&nbsp; flags UIOB, idle 1s, uptime 54m21s, timeout <STRONG>1h0m</STRONG>, bytes 154204</P><P></P><P></P><P>The question is, why this occurs? What i need do for change this traffic timeout? Why the </P><P>hitcnt in the acl is 0? </P><P></P><P></P><P>Tks!</P> Mon, 11 Mar 2019 23:53:15 GMT https://community.cisco.com/t5/network-security/change-timeout-session/m-p/2030255#M438444 Rafael Mendes 2019-03-11T23:53:15Z https://community.cisco.com/t5/network-security/change-timeout-session/m-p/2030256#M438448 <HTML><HEAD></HEAD><BODY><P>Hi rafael,</P><P></P><P>Once you implement the policy, you need to do a "Clear conn" and "Clear xlates", so that the new connections would fall under your policy map.</P><P></P><P></P><P>Thanks, <BR />Varun Rao <BR />Security Team, <BR />Cisco TAC</P></BODY></HTML> Wed, 12 Sep 2012 14:35:03 GMT https://community.cisco.com/t5/network-security/change-timeout-session/m-p/2030256#M438448 varrao 2012-09-12T14:35:03Z https://community.cisco.com/t5/network-security/change-timeout-session/m-p/2030257#M438450 <HTML><HEAD></HEAD><BODY><P>Hi Varun,</P><P></P><P>Thanks!</P><P></P><P>I have more one question.</P><P>My ACL HitCount is 0, its correct? </P><P>If i create a service policy and put in the interface(not in the global) the hitcount begins to appear, why?</P><P></P><P>Thanks again!</P></BODY></HTML> Wed, 12 Sep 2012 14:45:20 GMT https://community.cisco.com/t5/network-security/change-timeout-session/m-p/2030257#M438450 Rafael Mendes 2012-09-12T14:45:20Z https://community.cisco.com/t5/network-security/change-timeout-session/m-p/2030258#M438452 <HTML><HEAD></HEAD><BODY><P>Hi Rafael,</P><P></P><P>You would see the hitcounts in the ACL, wat you can verify is the output of :show service-policy" this would tell you if the packets are falling under the policy or not. </P><P></P><P>Although applying it on the interface would take more preference than the global policy, so if it does not work for the global, you can try changing it to interface.</P><P></P><P>Thanks, <BR />Varun Rao <BR />Security Team, <BR />Cisco TAC</P></BODY></HTML> Wed, 12 Sep 2012 15:15:12 GMT https://community.cisco.com/t5/network-security/change-timeout-session/m-p/2030258#M438452 varrao 2012-09-12T15:15:12Z https://community.cisco.com/t5/network-security/change-timeout-session/m-p/2030259#M438454 <HTML><HEAD></HEAD><BODY><P>Ok Varun.</P><P></P><P>Now i see the "no timeout" in the output of command "show conn detail".</P><P></P><P>TCP rede_filiais:10.82.16.15/3826 rede_servidores:172.17.2.130/2598,</P><P>&nbsp;&nbsp;&nbsp; flags UIOB, idle 1s, uptime 32m16s, <STRONG>timeout </STRONG>-, bytes 154944</P><P></P><P>Thank you.</P><P></P><P>Rafael</P></BODY></HTML> Wed, 12 Sep 2012 19:22:25 GMT https://community.cisco.com/t5/network-security/change-timeout-session/m-p/2030259#M438454 Rafael Mendes 2012-09-12T19:22:25Z